Displaying service version information might look cool, but it is definitely not a good idea. Plenty of malicious people out there will use that version string to look up the matching exploits and gain access to your machine.

Retrieving version information for a running service is very simple: a plain telnet to the service port will do the trick. Try it on your local SMTP server. Now wait for a zero-day exploit for that specific version and *bang*, you own it... or rather, you are owned.

Without the version information, an attacker can only guess and has to try several exploits, possibly revealing himself in your logs. This buys time and may prevent some attacks, but it does not mean you no longer need to update services when they are vulnerable.

This document describes the modifications needed to remove version information from services like OpenSSH, sendmail, etc. Some only require a simple change to a configuration file, while others need a change to the source code.

Possibly more will be added. If you feel something is missing or you have any other useful additions to this document, just drop me a line.

OpenSSH
Modifying the version string of this open source SSH implementation is quite simple. Within the OpenSSH source tree locate the following file:

Code:

openssh-3.x/version.h

It contains a line like this:

Code:

#define SSH_VERSION "OpenSSH_3.x"

This value can be changed to anything you like:

Code:

#define SSH_VERSION "SSH_x.x"

Recompile and reinstall the binaries, taking care not to lock yourself out if you are logged in through the very service you are upgrading: keep your current session open and verify a fresh login works before closing it. Note that only the software part of the identification string changes; the protocol prefix (SSH-1.99- or SSH-2.0-) is required by the protocol and stays. Telnet to port 22 to check out your brand new banner.

Sendmail
Sendmail doesn't require any modifications to the source code at all. A facility for changing the banner is present in the configuration file (sendmail.cf).

Open the file /etc/mail/sendmail.cf (or wherever it lives, depending on your distribution or how you installed it). There is a good chance the option is already in there, but commented out:

Code:

#O SmtpGreetingMessage=$j Sendmail 9.x.x / 8.x.x; $b

$j expands to the canonical hostname of the mail server; sendmail itself puts the 220 status code in front of the greeting and inserts ESMTP after the hostname, so the first line reads something like ``220 smtp.domain.com ESMTP ...''. Leave $j in place: some mail clients and peer servers expect a hostname there and may report a server error otherwise. $b expands to the current date and time in RFC 822 format (not the build date). You could change the line to:

Code:

O SmtpGreetingMessage=$j Mailserver; Thu, 1 Jan 1970 01:00:00

Restart the sendmail daemon and you are ready to go. Telnet to port 25 to see your new banner.

UW ipopd / imapd
These are part of the PINE distribution (the UW IMAP toolkit) and provide POP2, POP3 and IMAP services. To strip the version information from them, the source code needs to be modified. Within the PINE source tree locate the following files:

Modifying these is quite straightforward. In each of these files there is a line that says:

Code:

char *version = "2003.xx";

This can be changed into anything you want:

Code:

char *version = "a.b";

Recompile and install the binaries into their required location and you are ready to go. Note that these services may be in use, so the operating system might refuse to overwrite the running binaries. Kill the services and retry.
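The three edits above (the SSH_VERSION define in version.h, the SmtpGreetingMessage option in sendmail.cf and the char *version line in the UW ipopd/imapd sources) are all "change exactly one line in a file", so here is one script that does them, added as an example that is not part of the original post. It refuses to touch a file where the expected line is missing or appears more than once, which is what happens when a new release moves the line and a blind sed -i would silently change nothing. File paths and the new strings are arguments; the ones in the comments and the sample files are assumptions.

```bash
#!/bin/sh
# Added example (not from the original post): guarded single-line edits for
# the banner changes described above. Works with any POSIX sh, awk and grep.

# replace_single_line FILE PATTERN REPLACEMENT
# Rewrite the one line matching PATTERN (an extended regex) with REPLACEMENT.
# Fails, leaving FILE untouched, unless exactly one line matches.
replace_single_line() {
    file=$1 pattern=$2 replacement=$3
    count=$(grep -Ec "$pattern" "$file" || true)   # grep -c exits 1 on zero matches
    if [ "$count" -ne 1 ]; then
        echo "$file: expected 1 line matching '$pattern', found $count" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    # awk rather than sed: the replacement may contain $j, $b and other
    # characters that are special to sed's s command. Patterns passed with
    # -v must not contain backslashes (awk would unescape them), hence [*]
    # instead of \* below.
    awk -v pat="$pattern" -v rep="$replacement" \
        '$0 ~ pat { print rep; next } { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# set_ssh_version FILE STRING
#   e.g. set_ssh_version openssh-3.x/version.h SSH_x.x   (path assumed)
# Only the software part changes; OpenSSH still sends the SSH-1.99-/SSH-2.0-
# protocol prefix in front of it.
set_ssh_version() {
    replace_single_line "$1" '^#define SSH_VERSION[[:space:]]' \
        "#define SSH_VERSION \"$2\""
}

# set_smtp_greeting FILE TEXT
#   e.g. set_smtp_greeting /etc/mail/sendmail.cf 'Mailserver; Thu, 1 Jan 1970 01:00:00'
# Matches the option whether it is still commented out (#O ...) or already
# active, keeps $j (the hostname) in front and uses TEXT as the rest of the
# greeting, so leaving $b out of TEXT also drops the date.
set_smtp_greeting() {
    replace_single_line "$1" '^#?O SmtpGreetingMessage=' \
        "O SmtpGreetingMessage=\$j $2"
}

# set_c_version FILE STRING
#   e.g. set_c_version imapd.c a.b   for the UW ipopd/imapd sources
set_c_version() {
    replace_single_line "$1" '^char [*]version = "' \
        "char *version = \"$2\";"
}

# current_line FILE PATTERN: print the line(s) matching PATTERN, to verify.
current_line() {
    grep -E "$2" "$1"
}
```

After the edit, run current_line on the file and, once the service is rebuilt or restarted, grab the banner again from the outside: the file contents prove the edit, the banner proves the running daemon picked it up.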

Apache 1.3
For Apache 1.3.x you need to locate the following file within the Apache source tree:

mod_ssl
Just like PHP4, mod_ssl also adds some version information to the web server banner.

Also, if you have patched the Apache version string, the configure script that comes with mod_ssl will fail because its version check fails. It outputs an error like 'This was meant for Apache 1.3.29, but you have got Apache a.b.c'.

To fix this, open the `configure' script and search for APV a couple of times. When you see the 'This was meant for Apache 1.3.29' error, you are there. Just above the ``if'' insert the following line:

Code:

APV="1.3.29"

This fools mod_ssl into thinking the version matches, so it goes ahead and applies its patches.

OK, on to removing the version information from mod_ssl itself. After applying the patches to the Apache source tree, locate the following file:

Well, it's always good to do more stuff so crackers have a tougher time getting into your system, but some people think that it's enough just to change the banner of the program and they are safe. Don't go down that line.
Security by obscurity is a bad thing.

Hi there,
I have tried changing the banner of my proftpd with:
ServerIdent on "Welcome home"
or
ServerIdent off
in my /etc/proftpd.conf; both work fine.
When I connect it shows no more ProFTPD information.
But nmapping it still says:
21/tcp open ftp ProFTPD 1.2.8
I know nmap does more tests on a server than just looking at the banner, but how could I hide my version from nmap?

There's another way to modify Apache banners without editing source code. Some of you may be uncomfortable editing source code, or don't have the time or window of opportunity to recompile. In this case you could use the ServerTokens directive in httpd.conf. While this method is very useful, it is not as good as hugo's. Using ServerTokens at its "highest" setting will still show the server type during a banner grab (Apache). This may be acceptable, since it also removes any module banners as well. Still, for full obscurity, you may want to use hugo's suggestion (combined with ServerTokens, maybe?)

Quote:

ServerTokens directive
Syntax: ServerTokens Minimal|ProductOnly|OS|Full
Default: ServerTokens Full
Context: server config
Status: core
Compatibility: ServerTokens is only available in Apache 1.3 and later; the ProductOnly keyword is only available in versions later than 1.3.12
This directive controls whether the Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules.
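Two things the quoted documentation implies but that are easy to get wrong when checking a box: when no ServerTokens line is present at all, Apache 1.3 behaves as ServerTokens Full, and when several uncommented lines are present the last one wins. The following script, added here as an example and not part of the thread or of Apache's own tooling, resolves the effective value from an httpd.conf and can set it; the httpd.conf contents it is shown with are constructed for the demonstration.

```bash
#!/bin/sh
# Added example (not from the original thread): audit and set ServerTokens
# in an Apache 1.3 httpd.conf. Values are compared case-sensitively here,
# a simplification; Apache itself accepts them in any case.

# effective_server_tokens FILE
# Print the value Apache will use: the last uncommented ServerTokens
# directive, or Full (the documented default) when there is none.
effective_server_tokens() {
    val=$(sed -n 's/^[[:space:]]*ServerTokens[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$val" ]; then
        echo Full
    else
        echo "$val"
    fi
}

# audit_server_tokens FILE
# 0 when the Server: header will show only "Apache", 1 (with a message on
# stderr) for any setting that still includes version, OS or module details.
audit_server_tokens() {
    v=$(effective_server_tokens "$1")
    case "$v" in
        Prod|ProductOnly)
            echo "$1: ServerTokens $v (Server: header shows only Apache)"
            return 0 ;;
        *)
            echo "$1: ServerTokens $v leaks version details; set ServerTokens Prod" >&2
            return 1 ;;
    esac
}

# set_server_tokens FILE VALUE
# Drop every uncommented ServerTokens line and append a single new one, so
# there is no earlier or later directive left to override it.
set_server_tokens() {
    tmp="$1.tmp.$$"
    {
        grep -Ev '^[[:space:]]*ServerTokens[[:space:]]' "$1" || true   # grep -v exits 1 if nothing is left
        echo "ServerTokens $2"
    } > "$tmp" && mv "$tmp" "$1"
}

# Usage, not run here (path assumed):
#   audit_server_tokens /usr/local/apache/conf/httpd.conf || \
#       set_server_tokens /usr/local/apache/conf/httpd.conf Prod
```

ServerTokens only governs the Server: response header; server-generated error pages carry their own footer controlled by the separate ServerSignature directive, so check that one too before calling the web server's version hidden.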